Releases: gravitational/teleport
Teleport 16.2.0
Description
NLA Support for Windows Desktops
Teleport now supports Network Level Authentication (NLA) when connecting to Windows hosts that are part of an Active Directory domain. NLA support is currently opt-in. It will be enabled by default in a future release.
To enable NLA, set the TELEPORT_ENABLE_RDP_NLA environment variable to yes on your windows_desktop_service instances. It is not necessary to configure the Windows hosts to require NLA - Teleport's client will perform NLA when configured to do so, even if the server does not require it.
More information is available in the Active Directory docs.
DocumentDB IAM authentication support
Teleport now supports authenticating to DocumentDB with IAM users and roles recently released by AWS.
Join Tokens in the Web UI
Teleport now allows users to manage join tokens in the web UI as an alternative
to the tctl tokens commands.
Database Access Controls in Access Graph
Database Access users are now able to see database objects and their access
paths in Access Graph.
Logrotate support
Teleport now integrates with logrotate by automatically reopening log files when
detecting that they were renamed.
Other improvements and fixes
- Failure to share a local directory in a Windows desktop session is no longer considered a fatal error. #45852
- Add teleport.dev/project-id label for auto-enrolled instances in GCP. #45820
- Fix an issue that prevented the creation of AWS App Access for an Integration that used digits only (eg, AWS Account ID). #45819
- Slack plugin now lists logins permitted by requested roles. #45759
- For new EKS Cluster auto-enroll configurations, the temporary Access Entry is tagged with teleport.dev/ namespaced tags. For existing setups, please add the eks:TagResource action to the Integration IAM Role to get the same behavior. #45725
- Added support for importing S3 Bucket Tags into Teleport Policy's Access Graph. For existing configurations, ensure that the s3:GetBucketTagging permission is manually included in the Teleport Access Graph integration role. #45551
- Add a tctl terraform env command to simplify running the Teleport Terraform provider locally. #44690
- Add native MachineID support to the Terraform provider. Environments with delegated joining methods such as GitHub Actions, GitLab CI, CircleCI, GCP, or AWS can run the Terraform provider without having to set up tbot. #44690
- The Terraform Provider now sequentially tries every credential source and provides more actionable error messages if it cannot connect. #44690
- When the Terraform provider finds expired credentials it will now fail fast with a clear error instead of hanging for 30 seconds and sending a potentially misleading error about certificates being untrusted. #44690
- Fix a bug that caused some enterprise clusters to incorrectly display a message that the cluster had a monthly allocation of 0 access requests. #4923
Download
Download the current and previous releases of Teleport at https://goteleport.com/download.
Plugins
Download the current release of Teleport plugins from the links below.
- Slack (Linux amd64)
- Mattermost (Linux amd64)
- Discord (Linux amd64)
- Terraform Provider (Linux amd64 | Linux arm64 | macOS amd64 | macOS arm64 | macOS universal)
- Event Handler (Linux amd64 | macOS amd64)
- PagerDuty (Linux amd64)
- Jira (Linux amd64)
- Email (Linux amd64)
- Microsoft Teams (Linux amd64)
Teleport 16.1.8
Description
Security fix
[High] Stored XSS in SAML IdP
When registering a service provider with SAML IdP, Teleport did not sufficiently
validate the ACS endpoint. This could allow a Teleport administrator with
permissions to write saml_idp_service_provider resources to configure a
malicious service provider with an XSS payload and compromise the sessions of users
who access that service provider.
Note: This vulnerability is only applicable when Teleport itself is acting as
the identity provider. If you only use SAML to connect to an upstream identity
provider you are not impacted. You can use the tctl get saml_idp_service_provider
command to verify if you have any Service Provider applications registered and Teleport acts as an IdP.
For self-hosted Teleport customers that use Teleport as SAML Identity Provider,
we recommend upgrading auth and proxy servers. Teleport agents (SSH, Kubernetes,
desktop, application, database and discovery) are not impacted and do not need
to be updated.
Other fixes and improvements
- Fixed an issue where Teleport could modify group assignments for users not managed by Teleport. This will require a migration of host users created with create_host_user_mode: keep in order to maintain Teleport management. #45791
- The terminal shell can now be changed in Teleport Connect by right-clicking on a terminal tab. This allows using WSL (wsl.exe) if it is installed. Also, the default shell on Windows has been changed to pwsh.exe (instead of powershell.exe). #45734
- Improve web UI enroll RDS flow where VPC, subnets, and security groups are now selectable. #45688
- Allow limiting the duration of local tsh proxy certificates with a new MFAVerificationInterval option. #45686
- Fixed host user creation for tsh scp. #45680
- Fixed an issue where AWS access fails when the username is longer than 64 characters. #45658
- Permit setting a cluster wide SSH connection dial timeout. #45650
- Improve performance of host resolution performed via tsh ssh when connecting via labels or proxy templates. #45644
- Remove empty tcp app session recordings. #45643
- Fixed bug causing FeatureHiding flag to not hide the "Access Management" section in the UI as intended. #45608
- Fixed an issue where users created in keep mode could effectively become insecure_drop and get cleaned up as a result. #45594
- Prevent RBAC bypass for new Postgres connections. #45554
- tctl allows cluster administrators to create custom notifications targeting Teleport users. #45503
- Fixed debug service not enabled by default when not using a configuration file. #45480
- Introduce support for Envoy SDS into the Machine ID spiffe-workload-api service. #45460
- Improve the output of tsh sessions ls. #45452
- Fix access entry handling permission error when EKS auto-discovery was set up in the Discover UI. #45442
- Fix showing error message when enrolling EKS clusters in the Discover UI. #45415
- Fixed the "Create A Bot" flow for GitHub Actions and SSH. It now correctly grants the bot the role created during the flow, and the example YAML is now correctly formatted. #45409
- Mark authenticators used for passwordless as a passkey, if not previously marked as such. #45395
- Prevents a panic caused by AWS STS client not being initialized when assuming an AWS Role. #45382
- Update teleport debug commands to handle data dir not set. #45341
- Fix tctl get all not returning SAML or OIDC auth connectors. #45319
- The Opsgenie plugin recipients can now be dynamically configured by creating Access Monitoring Rules resources with the required Opsgenie notify schedules. #45307
- Improve discoverability of the source of rejected connections due to unsupported versions. #45278
- Improved copy and paste behavior in the terminal in Teleport Connect. On Windows and Linux, Ctrl+Shift+C/V now copies and pastes text (these shortcuts can be changed with keymap.terminalCopy/keymap.terminalPaste). A mouse right click (terminal.rightClick) can copy/paste text too (enabled by default on Windows). #45265
- Fixed an issue that could cause auth servers to panic when their backend connectivity was interrupted. #45225
- Adds SPIFFE compatible federation bundle endpoint to the Proxy API, allowing other workload identity platforms to federate with the Teleport cluster. #44998
- Add 'Download CSV' button to Access Monitoring Query results. #4899
- Fixed issue in Okta Sync that spuriously deletes Okta Applications due to connectivity errors. #4885
- Fixed bug in Okta Sync that mistakenly removes Apps and Groups on connectivity failure. #4883
- Fixed bug that caused some enterprise clusters to incorrectly display a message that the cluster had a monthly allocation of 0 access requests. #4923
--
labels: security-patch=yes, security-patch-alts=v16.1.5|v16.1.6
Teleport 15.4.16
Description
Security fix
[High] Stored XSS in SAML IdP
When registering a service provider with SAML IdP, Teleport did not sufficiently
validate the ACS endpoint. This could allow a Teleport administrator with
permissions to write saml_idp_service_provider resources to configure a
malicious service provider with an XSS payload and compromise the sessions of users
who access that service provider.
Note: This vulnerability is only applicable when Teleport itself is acting as
the identity provider. If you only use SAML to connect to an upstream identity
provider you are not impacted. You can use the tctl get
saml_idp_service_provider command to verify if you have any Service Provider
applications registered and Teleport acts as an IdP.
For self-hosted Teleport customers that use Teleport as SAML Identity Provider,
we recommend upgrading auth and proxy servers. Teleport agents (SSH, Kubernetes,
desktop, application, database and discovery) are not impacted and do not need
to be updated.
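The security note above (it also appears in the 16.1.8 notes) concerns insufficient validation of a service provider's ACS endpoint. The following Go program is an added example, not Teleport's code or its actual fix: it parses standard SAML SP metadata and flags any AssertionConsumerService Location that is not an absolute https URL. The https-only policy, the function names and the sp.example.com metadata are assumptions made for illustration.

```go
package main

import (
	"encoding/xml"
	"errors"
	"fmt"
	"net/url"
)

// Constructed sample metadata (not from a real service provider). The second
// and third ACS entries are deliberately non-conforming so the audit flags them.
const sampleMetadata = `<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://sp.example.com/metadata">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="0" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://sp.example.com/saml/acs"/>
    <md:AssertionConsumerService index="1" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="ftp://sp.example.com/saml/acs"/>
    <md:AssertionConsumerService index="2" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="/saml/acs"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>`

// entityDescriptor models only the parts of SP metadata this audit needs.
type entityDescriptor struct {
	EntityID string `xml:"entityID,attr"`
	ACS      []struct {
		Location string `xml:"Location,attr"`
	} `xml:"SPSSODescriptor>AssertionConsumerService"`
}

// Finding records one ACS endpoint that failed the check and why.
type Finding struct {
	Location string
	Reason   string
}

// CheckACSLocation applies an allowlist policy (an assumption of this example):
// the endpoint must be an absolute https URL with a host and no credentials.
func CheckACSLocation(loc string) error {
	u, err := url.Parse(loc)
	if err != nil {
		return fmt.Errorf("not a parseable URL: %w", err)
	}
	switch {
	case u.Scheme != "https":
		return fmt.Errorf("scheme %q is not https", u.Scheme)
	case u.Hostname() == "":
		return errors.New("URL has no host")
	case u.User != nil:
		return errors.New("URL embeds credentials")
	}
	return nil
}

// AuditDescriptor parses SP metadata XML and returns the entity ID together
// with a finding for every ACS endpoint that fails CheckACSLocation.
func AuditDescriptor(metadata string) (string, []Finding, error) {
	var ed entityDescriptor
	if err := xml.Unmarshal([]byte(metadata), &ed); err != nil {
		return "", nil, fmt.Errorf("parsing entity descriptor: %w", err)
	}
	var findings []Finding
	if len(ed.ACS) == 0 {
		findings = append(findings, Finding{Reason: "no AssertionConsumerService element"})
	}
	for _, acs := range ed.ACS {
		if err := CheckACSLocation(acs.Location); err != nil {
			findings = append(findings, Finding{Location: acs.Location, Reason: err.Error()})
		}
	}
	return ed.EntityID, findings, nil
}

func main() {
	id, findings, err := AuditDescriptor(sampleMetadata)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("%s: %d finding(s)\n", id, len(findings))
	for _, f := range findings {
		fmt.Printf("  %q: %s\n", f.Location, f.Reason)
	}
}
```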
Other fixes and improvements
- Fixed an issue where Teleport could modify group assignments for users not managed by Teleport. This will require a migration of host users created with create_host_user_mode: keep in order to maintain Teleport management. #45792
- Fixed host user creation for tsh scp. #45681
- Fixed AWS access failing when the username is longer than 64 characters. #45656
- Permit setting a cluster wide SSH connection dial timeout. #45651
- Improved performance of host resolution performed via tsh ssh when connecting via labels or proxy templates. #45645
- Removed empty tcp app session recordings. #45642
- Fixed Teleport plugins images using the wrong entrypoint. #45618
- Added debug images for Teleport plugins. #45618
- Fixed FeatureHiding flag not hiding the "Access Management" section in the UI. #45613
- Fixed Host User Management deleting users that are not managed by Teleport. #45595
- Fixed a security vulnerability with PostgreSQL integration where a maliciously crafted startup packet with an empty database name can bypass the intended access control. #45555
- Fixed the debug service not being enabled by default when not using a configuration file. #45479
- Introduced support for Envoy SDS into the Machine ID spiffe-workload-api service. #45463
- Improved the output of tsh sessions ls to make it easier to understand what sessions are ongoing and what sessions the user can/should join as a moderator. #45453
- Fixed access entry handling permission error when EKS auto-discovery was set up in the Discover UI. #45443
- Fixed the web UI showing vague error messages when enrolling EKS clusters in the Discover UI. #45416
- Fixed the "Create A Bot" flow for GitHub Actions and SSH not correctly granting the bot the role created during the flow. #45410
- Fixed a panic caused by AWS STS client not being initialized when assuming an AWS Role. #45381
- Fixed teleport debug commands incorrectly handling an unset data directory in the Teleport config. #45342
Enterprise:
- Fixed Okta Sync spuriously deleting Okta Applications due to connectivity errors. #4886
- Fixed Okta Sync mistakenly removing Apps and Groups on connectivity failure. #4884
- Fixes the SAML IdP session preventing SAML IdP sessions from being consistently updated when users assumed a role or switched back from the role granted in the access request. #4879
- Fixed a security issue where a user who can create saml_idp_service_provider resources can compromise the sessions of more powerful users and perform actions on behalf of others. #4863
- Fixed the SAML IdP authentication middleware preventing users from signing into the service provider when a SAML authentication request was made with an HTTP-POST binding protocol and users didn't already have an active session with Teleport. #4852
--
labels: security-patch=yes, security-patch-alts=v15.4.13|v15.4.14
Teleport 14.3.23
Description
- Updated Go toolchain to 1.22.6. #45196
- Teleport Connect now sets TERM_PROGRAM: Teleport_Connect and TERM_PROGRAM_VERSION: <app_version> environment variables in the integrated terminal. #45065
- Fixed race condition between session recording uploads and session recording upload cleanup. #44980
- Prevent Kubernetes per-Resource RBAC from blocking access to namespaces when denying access to a single resource kind in every namespace. #44976
- Improved stability of very large teleport clusters during temporary backend disruption/degradation. #44696
- Fixed Application Access regression where an HTTP header wasn't set in forwarded requests. #44630
- Use the registered port of the target host when tsh puttyconfig is invoked without --port. #44574
- Fixed Teleport Connect binaries not being signed correctly. #44473
- Fixed terminal sessions with a database CLI client in Teleport Connect hanging indefinitely if the client cannot be found. #44467
- Fixed a low-probability panic in audit event upload logic. #44423
- Prevented DoSing the cluster during a mass failed join event by agents. #44416
- Added audit events for AWS and Azure integration resource actions. #44405
- Prevented an infinite loop in DynamoDB event querying by advancing the cursor to the next day when the limit is reached at the end of a day with an empty iterator. This ensures the cursor does not reset to the beginning of the day. #44273
- Fixed a kube-agent-updater bug affecting resolutions of private images. #44193
- Prevented redirects to arbitrary URLs when launching an app. #44190
- The teleport-cluster chart can now use existing ingresses instead of creating its own. #44148
- Ensured that tsh login outputs accurate status information for the new session. #44145
- Fixes "device trust mode x requires Teleport Enterprise" errors on tctl. #44136
- Honor proxy templates in tsh ssh. #44031
- Fix eBPF error occurring during startup on Linux RHEL 9. #44025
- Fixed Redshift auto-user deactivation/deletion failure that occurs when a user is created or deleted and another user is deactivated concurrently. #43984
- Lowered latency of detecting Kubernetes cluster becoming online. #43969
- Teleport AMIs now optionally source environment variables from /etc/default/teleport as regular Teleport package installations do. #43960
- Fixed teleport-kube-agent Helm chart to correctly propagate extraLabels to post-delete hooks. A new extraLabels.job object has been added for labels which should only apply to the post-delete job. #43933
- Added audit events for discovery config actions. #43795
- Fixed startup crash of Teleport Connect on Ubuntu 24.04 by adding an AppArmor profile. #43651
- Extend Teleport ability to use non-default cluster domains in Kubernetes, avoiding the assumption of cluster.local. #43633
- Wait for user MFA input when reissuing expired certificates for a kube proxy. #43614
- Display errors in the web UI console for SSH sessions. #43492
- Updated go-retryablehttp to v0.7.7 (fixes CVE-2024-6104). #43476
- Fixed an issue preventing accurate inventory reporting of the updater after it is removed. #43452
- Remaining alert TTL is now displayed with tctl alerts ls. #43434
- Fixed headless auth for SSO users, including when local auth is disabled. #43363
- Fixed an issue with incorrect yum/zypper updater packages being installed. #4686
- Fixed inaccurately notifying user that access list reviews are due in the web UI. #4523
- The Teleport updater will no longer default to using the global version channel, avoiding incompatible updates. #4475
Teleport 15.4.12
Description
- Improved copy and paste behavior in the terminal in Teleport Connect. On Windows and Linux, Ctrl+Shift+C/V now copies and pastes text (these shortcuts can be changed with keymap.terminalCopy/keymap.terminalPaste). A mouse right click (terminal.rightClick) can copy/paste text too (enabled by default on Windows). #45266
- Updated Go toolchain to 1.22.6. #45195
- Improved tsh ssh performance for concurrent execs. #45163
- Fixed regression that denied access to launch some applications. #45150
- Bot resources now honour their metadata.expires field. #45133
- Teleport Connect now sets TERM_PROGRAM: Teleport_Connect and TERM_PROGRAM_VERSION: <app_version> environment variables in the integrated terminal. #45064
- Fix a panic in the Microsoft teams plugin when it receives an error. #45012
- Adds SPIFFE compatible federation bundle endpoint to the Proxy API, allowing other workload identity platforms to federate with the Teleport cluster. #44999
- Added warning on tbot startup when the requested certificate TTL exceeds the maximum allowed value. #44988
- Fixed race condition between session recording uploads and session recording upload cleanup. #44979
- Prevent Kubernetes per-Resource RBAC from blocking access to namespaces when denying access to a single resource kind in every namespace. #44975
- Fix tbot FIPS builds failing to start due to missing boringcrypto. #44908
- Added support for Kubernetes Workload Attestation into Teleport Workload Identity to allow the authentication of pods running within Kubernetes without secrets. #44884
- Machine ID can now be configured to use Kubernetes Secret destinations from the command line using the kubernetes-secret schema. #44804
- Prevent discovery service from overwriting Teleport dynamic resources that have the same name as discovered resources. #44786
- Teleport Connect now uses ConPTY for better terminal resizing and accurate color rendering on Windows, with an option to disable it in the app config. #44743
- Fixed event-handler Helm charts using the wrong command when starting the event-handler container. #44698
- Enabled Mattermost plugin for notification routing rules. #4773
Teleport 16.1.4
Description
- Improved tsh ssh performance for concurrent execs. #45162
- Fixed issue with loading cluster features when agents are upgraded prior to auth. #45226
- Updated Go to 1.22.6. #45194
Teleport 16.1.3
Description
- Fixed an issue where tsh aws may display extra text in addition to the original command output. #45168
- Fixed regression that denied access to launch some Apps. #45149
- Bot resources now honor their metadata.expires field. #45130
- Teleport Connect now sets TERM_PROGRAM: Teleport_Connect and TERM_PROGRAM_VERSION: <app_version> environment variables in the integrated terminal. #45063
- Fixed a panic in the Microsoft Teams plugin when it receives an error. #45011
- Added a background item for VNet in Teleport Connect; VNet now prompts for a password only during the first launch. #44994
- Added warning on tbot startup when the requested certificate TTL exceeds the maximum allowed value. #44989
- Fixed a race condition between session recording uploads and session recording upload cleanup. #44978
- Prevented Kubernetes per-Resource RBAC from blocking access to namespaces when denying access to a single resource kind in every namespace. #44974
- SSO login flows can now authorize web sessions with Device Trust. #44906
- Added support for Kubernetes Workload Attestation into Teleport Workload Identity to allow the authentication of pods running within Kubernetes without secrets. #44883
Enterprise:
- Fixed a redirection issue with the SAML IdP authentication middleware which prevented users from signing into the service provider when a SAML authentication request was made with an HTTP-POST binding protocol and users didn't already have an active session with Teleport.
- SAML applications can now be deleted from the Web UI.
Teleport 16.1.1
Description
- Added option to allow client redirects from IPs in specified CIDR ranges in SSO client logins. #44846
- Machine ID can now be configured to use Kubernetes Secret destinations from the command line using the kubernetes-secret schema. #44801
- Prevent discovery service from overwriting Teleport dynamic resources that have the same name as discovered resources. #44785
- Reduced the probability that the event-handler deadlocks when encountering errors processing session recordings. #44771
- Improved event-handler diagnostics by providing a way to capture profiles dynamically via SIGUSR1. #44758
- Teleport Connect now uses ConPTY for better terminal resizing and accurate color rendering on Windows, with an option to disable it in the app config. #44742
- Fixed event-handler Helm charts using the wrong command when starting the event-handler container. #44697
- Improved stability of very large Teleport clusters during temporary backend disruption/degradation. #44694
- Resolved compatibility issue with Paramiko and Machine ID's SSH multiplexer SSH agent. #44673
- Teleport no longer creates invalid SAML Connectors when calling tctl get saml/<connector-name> | tctl create -f without the --with-secrets flag. #44666
- Fixed a fatal error in tbot when unable to lookup the user from a given UID in containerized environments for checking ACL configuration. #44645
- Fixed Application Access regression where an HTTP header wasn't set in forwarded requests. #44628
- Added Server auto-discovery support for Rocky and AlmaLinux distros. #44612
- Use the registered port of the target host when tsh puttyconfig is invoked without --port. #44572
- Added more icons for guessing application icon by name or by label teleport.icon in the web UI. #44566
- Remove deprecated S3 bucket option when creating or editing AWS OIDC integration in the web UI. #44485
- Fixed terminal sessions with a database CLI client in Teleport Connect hanging indefinitely if the client cannot be found. #44465
- Added application-tunnel service to Machine ID for establishing a long-lived tunnel to a HTTP or TCP application for Machine to Machine access. #44443
- Fixed a regression that caused Teleport Connect to fail to start on Intel Macs. #44435
- Improved auto-discovery resiliency by recreating Teleport configuration when the node fails to join the cluster. #44432
- Fixed a low-probability panic in audit event upload logic. #44425
- Fixed Teleport Connect binaries not being signed correctly. #44419
- Prevented DoSing the cluster during a mass failed join event by agents. #44414
- The availability filter is now a toggle to show (or hide) requestable resources. #44413
- Moved PostgreSQL auto provisioning users procedures to pg_temp schema. #44409
- Added audit events for AWS and Azure integration resource actions. #44403
- Fixed automatic updates with previous versions of the teleport.yaml config. #44379
- Added support for Rocky and AlmaLinux when enrolling a new server from the UI. #44332
- Fixed PostgreSQL session playback not rendering queries line breaks correctly. #44315
- Fixed Teleport access plugin tarballs containing a build directory, which was accidentally added upon v16.0.0 release. #44300
- Prevented an infinite loop in DynamoDB event querying by advancing the cursor to the next day when the limit is reached at the end of a day with an empty iterator. This ensures the cursor does not reset to the beginning of the day. #44275
- The clipboard sharing tooltip for desktop sessions now indicates why clipboard sharing is disabled. #44237
- Prevented redirects to arbitrary URLs when launching an app. #44188
- Added a --skip-idle-time flag to tsh play. #44013
- Added audit events for discovery config actions. #43793
- Enabled Access Monitoring Rules routing with Mattermost plugin. #43601
- SAML application can now be deleted from the Web UI. #4778
- Fixed an Access List permission bug where an access list owner, who is also a member, was not able to add/remove access list member. #4744
- Fixed a bug in Web UI where clicking SAML GCP Workforce Identity Federation discover tile would throw an error, preventing from using the guided enrollment feature. #4720
- Fixed an issue with incorrect yum/zypper updater packages being installed. #4684
Teleport 15.4.11
Description
- Fixed an issue that could cause auth servers to panic when their backend connectivity was interrupted. #44787
- Reduced the probability that the event-handler deadlocks when encountering errors processing session recordings. #44772
- Improved event-handler diagnostics by providing a way to capture profiles dynamically via SIGUSR1. #44759
- Added support for Teams to Opsgenie plugin alert creation. #44330
Teleport 15.4.10
Description
- Improved stability of very large teleport clusters during temporary backend disruption/degradation. #44695
- Resolved compatibility issue with Paramiko and Machine ID's SSH multiplexer SSH agent. #44672
- Fixed a fatal error in tbot when unable to lookup the user from a given UID in containerized environments for checking ACL configuration. #44646
- Fixed Application Access regression where an HTTP header wasn't set in forwarded requests. #44629
- Use the registered port of the target host when tsh puttyconfig is invoked without --port. #44573
- Added more icons for guessing application icon by name or by label teleport.icon in the web UI. #44568
- Removed deprecated S3 bucket option when creating or editing AWS OIDC integration in the web UI. #44487
- Fixed terminal sessions with a database CLI client in Teleport Connect hanging indefinitely if the client cannot be found. #44466
- Added application-tunnel service to Machine ID for establishing a long-lived tunnel to a HTTP or TCP application for Machine to Machine access. #44446
- Fixed a low-probability panic in audit event upload logic. #44424
- Fixed Teleport Connect binaries not being signed correctly. #44420
- Prevented DoSing the cluster during a mass failed join event by agents. #44415
- Added audit events for AWS and Azure integration resource actions. #44404
- Fixed automatic updates with previous versions of the teleport.yaml config. #44378
- Added support for Rocky and AlmaLinux when enrolling a new server from the UI. #44331
- Fixed Teleport access plugin tarballs containing a build directory, which was accidentally added upon v15.4.5 release. #44301
- Prevented an infinite loop in DynamoDB event querying by advancing the cursor to the next day when the limit is reached at the end of a day with an empty iterator. This ensures the cursor does not reset to the beginning of the day. #44274
- The clipboard sharing tooltip for desktop sessions now indicates why clipboard sharing is disabled. #44238
- Fixed a kube-agent-updater bug affecting resolutions of private images. #44192
- Prevented redirects to arbitrary URLs when launching an app. #44189
- Added audit event field describing if the "MFA for admin actions" requirement changed. #44185
- The teleport-cluster chart can now use existing ingresses instead of creating its own. #44147
- Ensured that tsh login outputs accurate status information for the new session. #44144
- Fixed "device trust mode x requires Teleport Enterprise" errors on tctl. #44134
- Added a --skip-idle-time flag to tsh play. #44095
- Added the tbot install systemd command for installing tbot as a service on Linux systems. #44082
- Added ability to list access list members in json format in tctl cli tool. #44072
- Made tbot compilable on Windows. #44070
- For slack integration, Access List reminders are batched into 1 message and provides link out to the web UI. #44035
- Fixed denying access despite access being configured for Notification Routing Rules in the web UI. #44028
- Fixed eBPF error occurring during startup on Linux RHEL 9. #44024
- Lowered latency of detecting Kubernetes cluster becoming online. #43971
- Enabled Access Monitoring Rules routing with Mattermost plugin. #43600
Enterprise:
- Fixed an Access List permission bug where an access list owner, who is also a member, was not able to add/rm access list member.
- Fixed an issue with incorrect yum/zypper updater packages being installed.
- Fixed empty condition from unquoted string with yaml editor for Notification Routing Rules in the Web UI.